A software update framework for macOS
This is the same as 2.6.1 (Important security fix), except it includes a bug fix for generate_appcast (#2555) where archives may not have been able to unarchive.
Changes:
This release contains a security fix backported from 2.6.1.
The minimum system requirement for this release is still macOS 10.9.
Note: this release is not available for CocoaPods yet (because I need to first fetch an old macOS/Xcode setup).
This update fixes a vulnerability that allows an attacker to replace an existing signed update with another payload, which bypasses Sparkle’s (Ed)DSA signing checks (#2550). Apps that serve updates over HTTPS (most if not all apps) are not immediately impacted because the server hosting the update (or a CA) needs to first be compromised for an attacker to exploit this issue. Updating Sparkle with this fix ASAP is still strongly recommended, however, because an important security layer can be bypassed.
All older versions of Sparkle are affected by this bug. This fix is backported to 1.27.3 for Sparkle 1. For older versions of Sparkle 2, a 2.2.x branch is available which is based on 2.2.2.
Please check the Discussions topic for this release for more details or follow up.
Update: generate_appcast may not work for certain archive types (https://github.com/sparkle-project/Sparkle/issues/2554) in 2.6.1. This is fixed in 2.6.2.
Overall changes in 2.6.1:
Changes:
This update is recommended for sandboxed apps that enable Sparkle's Downloader XPC Service because it fixes a bug where an app may show a "Downloader" differing from previously opened versions prompt warning. The sandboxing guide for the Downloader Service and Code Signing has been updated.
For users running macOS 14.4 or later, a Gatekeeper scan is performed on the new update before installing it, which may skip a "Verifying.." dialog when relaunching the app.
The Downloader XPC Service is no longer sandboxed by default. If you use this service, please check the updated sandboxing guide.
For users running macOS 14.4 (beta) or later, a Gatekeeper scan is performed on the new update before installing it.
Changes:
Please also see the changes in 2.5.0.
Changes:
This release includes enhancements to Sparkle's release notes view and compatibility improvements for macOS 14 Sonoma.